The U.S. International Trade Commission is an independent, nonpartisan, quasi-judicial federal agency that provides trade expertise to both the legislative and executive branches of government, determines the impact of imports on U.S. industries, and directs actions against certain unfair trade practices, such as patent, trademark, and copyright infringement. USITC analysts and economists investigate and publish reports on U.S. industries and the global trends that affect them. The agency also maintains and publishes the Harmonized Tariff Schedule of the United States.

Commissioners
Irving A. Williamson, Chairman
Deanna Tanner Okun
Daniel R. Pearson
Shara L. Aranoff
Dean A. Pinkert
David S. Johanson

UNITED STATES INTERNATIONAL TRADE COMMISSION
OFFICE OF INSPECTOR GENERAL
WASHINGTON, DC 20436

August 16, 2012                                                            OIG-KK-011

Chairman Williamson:

This memorandum transmits the Office of Inspector General's final report, Audit of Software Licensing, OIG-AR-12-10. In finalizing this report, we analyzed management's comments to our draft report and have included those comments in their entirety as Appendix A.

This audit focused on whether the Commission is paying for all installed software. We collected and analyzed information describing the software installed on the network, and compared this to the Commission's proof of licensing for these products.

This report contains six recommendations for corrective action. In the next 30 days, please provide me with your management decisions describing the specific actions that you will take to implement each recommendation.

Thank you for the courtesies extended to the auditor during this evaluation.

Philip M. Heneghan
Inspector General

U.S. International Trade Commission
Audit Report
OIG-AR-12-10

Table of Contents

Results of Audit
Problem Area: The Commission did not know the software licensing obligations for all applications installed on its network.
Management Comments and Our Analysis
Objective, Scope, and Methodology
Appendix A: Management Comments on Draft Report

Results of Audit

The purpose of this audit was to answer the question:

Is the Commission paying for all installed software?

No. The Commission was not paying for all installed software.

The Commission did not have a complete record of all software installed on its network and was unaware of the licensing terms for some software that it had deliberately installed. As a result, the Commission could not ensure that it had paid for all installed software.

The Commission had proof of licensing for software products from 18 vendors. We compared those to paid, commercial software applications from over 140 vendors that we found on the network. The problem we identified was that the Commission did not know the software licensing obligations for all applications installed on its network. Before software is installed on the network, its license agreement should be understood and approved.

Until the Commission knows the software licensing obligations for applications installed on its network, it cannot ensure that it is paying for all installed software.

Problem Area: The Commission did not know the software licensing obligations for all applications installed on its network.

The Commission did not know the software licensing obligations for all applications installed on its network.

The Commission uses software that is licensed in different ways:

   ● Free software (freeware): this software is freely downloadable and usable by anyone, for any reason, at no cost;
   ● Shareware: this software is freely downloadable, but the terms of its license define whether fees must be paid depending on its use; and
   ● Commercial, paid software: this software is not typically available for download without payment, and the terms of its licenses describe how it may be used and the fees associated with its use.

We compared the license terms for a sampling of software installed on the network with the Commission's documentation for its purchased software licenses. We found that the Commission did not comply with the license terms for some of its installed software. Based on interviews with CIO staff, it appears that the Commission did not fully understand the licensing terms of some installed software.

Our audit of installed software found at least one instance of "cracked" software. Software is described as cracked when someone has modified its original code to bypass or remove copy protections so that it can be used without paying for it. Software tampered with in this way has also been found to carry modifications made for malicious purposes, including the compromise of networks and the theft of data. For security reasons, cracked software should never be allowed on a Federal Government network. Cracked software is typically used when someone wants to use commercial software but does not want to pay for it. It is unclear why the software was installed on the network.

The Commission did not prevent or detect the installation of the cracked software, and was unable to identify when it was installed or by whom. This combination places the Commission at risk of violating license agreements and subjects the Commission's network systems to additional risk.

For the last several years, when it detected a virus on a Commission workstation, the Help Desk installed software that performed detection and eradication of malware. This software was licensed as shareware. The terms of the shareware license indicated that it could be used without payment for personal use, but required payment if used as part of a commercial support or help desk function. In this case, the Commission used the software for free when in fact it should have paid for each installation. Had the Commission understood the licensing terms, it could have either budgeted for its use or pursued alternative means of identifying and eradicating malware.

The Commission also uses a wide range of paid commercial software to perform its work, including operating systems, office suites, client application software, and enterprise database software. All of this software requires paid licenses, and each of these licenses has different requirements. Software can be licensed per user, per device (workstations, servers, smart-phones, etc.), per site, or per organization.

In one instance, the Commission used a graphical software application that was distributed to 318 workstations. The Commission believed that it owned a site license, meaning that for a fixed fee any and all Commission network users could use the software in compliance with its licensing. We contacted the vendor of this software and were told that the license is for a maximum of 100 users, and no more. Because the Commission did not understand the terms of its license, it was potentially in violation of its agreement.

In many other instances, we found installations of paid software for which no record of a purchased license could be located. The Commission needs to verify the terms of its current licenses and track the licenses so they can be reconciled with current use.

Complex, expensive software can typically be expected to have complex licensing agreements. If these licensing agreements are not clearly understood, decisions may be made to use software without regard to cost, which leads to one of two scenarios: (1) if properly licensed, a tremendous amount of money can be spent to achieve something of minimal value to the organization; or (2) the organization is either unaware of, or ignores, the fact that it is in violation of its software licensing agreements.

During this audit we identified an expensive software package installed on more servers than the Commission had licenses for. Because this software employs a complex licensing scheme, the Commission did not understand its payment obligation. The CIO had identified this problem and had begun correcting the situation prior to the start of this audit.

The Commission uses software with a range of licensing terms, from simple and free to complex and expensive. It has a responsibility to comply with the licenses of all the software it uses.

Recommendation 1: Require and retain proof of proper licensing before the installation of software.

Recommendation 2: Centralize records of licensing details for reconciliation purposes, including the terms of the license, for efficient review.

Recommendation 3: Add technical controls to prevent the installation of software by users.

Recommendation 4: Implement technical monitoring to detect the installation of software, including details on when it was installed and by whom.

Recommendation 5: Validate the terms of current licenses.

Recommendation 6: Remove software that is unlicensed.

Management Comments and Our Analysis

On August 9, 2012, Chairman Irving Williamson provided management comments on the draft audit report. The Chairman agreed with our assessment that there is a problem area in that the Commission did not know the software licensing obligations for all applications installed on its network, and stated that the Commission will implement the recommendations to ensure that it complies with all licensing obligations for software installed on its network. The Chairman's response is provided in its entirety as Appendix A.

Objective, Scope, and Methodology

Objective:
Is the Commission paying for all installed software?

Scope:
The scope of this audit included all production servers and workstations in use at the USITC as of February 5, 2012.

Methodology:

       1. Use existing CIO tools (SCCM) to identify all software installed on the ITCNet Active Directory domain.
       2. Through inspection, identify all software installed on systems not on the ITCNet Active Directory domain.
       3. Obtain all licensing agreements for purchased software and reconcile them against the list of installed software.
       4. Identify any differences between installed and purchased software.

We conducted this performance audit in accordance with Generally Accepted Government Auditing Standards (GAGAS). Those standards require that we plan and perform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions based on our audit objectives. We believe that the evidence obtained provides a reasonable basis for our findings and conclusions based on our audit objectives.

Appendix A: Management Comments on Draft Report

Cover image: "Thacher's Calculating Instrument," developed by Edwin Thacher in the late 1870s. It is a cylindrical, rotating slide rule able to perform complex mathematical calculations involving roots and powers quickly. The instrument was used by architects, engineers, and actuaries as a measuring device.
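Steps 3 and 4 of the methodology (reconcile license agreements against the installed-software list and report the differences) and the findings in the Problem Area (a per-user cap exceeded by workstation installs, shareware used by the Help Desk without payment, paid software with no purchase record, a server product deployed beyond its license count) can be expressed as one reconciliation pass once the centralized register of Recommendation 2 exists. The following Python is an added example, not the OIG's or the Commission's own tooling: the two CSV layouts (an SCCM-style inventory export with each device's primary user, and a hand-maintained license register) are assumed, and every row is constructed, not USITC data.

```python
"""Reconcile an installed-software inventory against a license register.

Added example for the audit's methodology steps 3 and 4; it is not the
OIG's or the Commission's tooling. The CSV layouts are assumed and the
rows are constructed, not real USITC data.
"""
import csv
import io
from collections import defaultdict
from dataclasses import dataclass

# Constructed SCCM-style inventory export: one row per (device, product),
# with the device's primary user so per-user licenses can be counted.
INVENTORY_CSV = """\
device,primary_user,product,vendor
ws-001,asmith,GraphPro,AcmeGraph
ws-002,bjones,GraphPro,AcmeGraph
ws-003,clee,GraphPro,AcmeGraph
ws-004,asmith,GraphPro,AcmeGraph
srv-db1,svc-db,BigDB Enterprise,DataCo
srv-db2,svc-db,BigDB Enterprise,DataCo
srv-db3,svc-db,BigDB Enterprise,DataCo
ws-001,asmith,OfficeSuite,DocCorp
ws-001,asmith,MalwareZap,ZapSoft
ws-002,bjones,MalwareZap,ZapSoft
ws-005,dkim,UnknownCAD,CadCo
ws-005,dkim,Notepad-ish,FreeCo
"""

# Constructed license register (Recommendation 2). license_type is
# freeware, shareware or commercial; model is per_user, per_device or site;
# proof is the purchase record (Recommendation 1), blank if none is on file.
LICENSES_CSV = """\
product,vendor,license_type,model,seats,proof
GraphPro,AcmeGraph,commercial,per_user,2,PO-2011-017
BigDB Enterprise,DataCo,commercial,per_device,2,PO-2010-004
OfficeSuite,DocCorp,commercial,site,0,
MalwareZap,ZapSoft,shareware,,0,
Notepad-ish,FreeCo,freeware,,0,
"""


@dataclass(frozen=True)
class Finding:
    product: str
    vendor: str
    issue: str   # NO_LICENSE_RECORD, MISSING_PROOF, SHAREWARE_UNPAID, OVER_DEPLOYED
    detail: str


def load_csv(text):
    return list(csv.DictReader(io.StringIO(text)))


def reconcile(inventory, licenses):
    """Return one Finding per product whose installed footprint is not
    covered by a license the organization can prove it holds."""
    usage = defaultdict(lambda: {"devices": set(), "users": set()})
    for row in inventory:
        key = (row["product"], row["vendor"])
        usage[key]["devices"].add(row["device"])
        usage[key]["users"].add(row["primary_user"])
    register = {(lic["product"], lic["vendor"]): lic for lic in licenses}

    findings = []
    for key, use in sorted(usage.items()):
        product, vendor = key
        n_dev, n_usr = len(use["devices"]), len(use["users"])
        lic = register.get(key)
        if lic is None:
            # Installed with no record at all: a Recommendation 6 candidate.
            findings.append(Finding(product, vendor, "NO_LICENSE_RECORD",
                                    f"installed on {n_dev} device(s); nothing on file"))
        elif lic["license_type"] == "freeware":
            pass
        elif lic["license_type"] == "shareware":
            # Help Desk / organizational use is not personal use: payment is due.
            if not lic["proof"]:
                findings.append(Finding(product, vendor, "SHAREWARE_UNPAID",
                                        f"organizational use on {n_dev} device(s) with no paid license"))
        elif not lic["proof"]:
            findings.append(Finding(product, vendor, "MISSING_PROOF",
                                    f"commercial {lic['model']} license claimed but no purchase record"))
        elif lic["model"] != "site":
            # Count what the license model actually meters: users or devices.
            in_use = n_usr if lic["model"] == "per_user" else n_dev
            seats = int(lic["seats"])
            if in_use > seats:
                findings.append(Finding(product, vendor, "OVER_DEPLOYED",
                                        f"{lic['model']}: {in_use} in use vs {seats} licensed"))
    return findings


def run_example():
    return reconcile(load_csv(INVENTORY_CSV), load_csv(LICENSES_CSV))


if __name__ == "__main__":
    for f in run_example():
        print(f"{f.issue:<18} {f.vendor}/{f.product}: {f.detail}")
```

The per_user versus per_device distinction is deliberate: GraphPro is installed on four devices but used by three people, so it is over its two-seat per-user license by one, while BigDB Enterprise is over its per-device count even though a single service account runs it everywhere. Two caveats apply in practice. An inventory export cannot tell a cracked copy from a legitimately installed one, since both report the same product name; that requires the install-time monitoring of Recommendation 4 (when and by whom) together with the proof-of-purchase trail of Recommendation 1. And a register entry is only as good as its terms: the report's site-license case was a 100-user cap that the Commission believed to be unlimited, so the seats and model columns must come from the validated agreement (Recommendation 5), not from what was assumed at purchase.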